Part 1 — Introduction
1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Department of Immigration and Border Protection’s (DIBP) handling of personal information under Schedule 7 of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Foreign Fighters Act). Schedule 7 of the Foreign Fighters Act allows DIBP officers to seize bogus documents. The purpose of the assessment was to consider whether DIBP is handling personal information throughout the process of seizing bogus documents in accordance with the Australian Privacy Principles (APPs) and where appropriate, make recommendations to assist DIBP to do so. Bogus documents include counterfeit and altered documents, documents that are obtained through fraudulent means and genuine documents presented by a person other than the owner.
1.2 OAIC Assessors examined DIBP’s relevant internal policies and procedures and conducted interviews with key staff to determine the impact of the new arrangements on the handling of personal information in the context of bogus documents (bogus document data).
1.3 The fieldwork component of the assessment was conducted at Sydney Airport and DIBP’s offices in Canberra. Assessors inspected or made enquiries about the operations of key areas involved in the handling of bogus document data, including immigration clearance staff and the Document Examination Units (DEUs) at Sydney Airport and in Canberra.
1.4 The OAIC identified medium privacy risks with DIBP’s personal information handling practices relating to Schedule 7 of the Foreign Fighters Act. The OAIC has therefore made three recommendations to address those risks.
1.5 The first recommendation (see para 4.22) relates to the privacy risk that arises due to DIBP not having assigned an appropriate level of responsibility and accountability for implementing the new powers afforded by Schedule 7. APP 1.2 requires DIBP to take reasonable steps to implement practices, procedures and systems to ensure it complies with the APPs. Assessors consider that this contributed to other privacy risks, such as a lack of effective communication and training across DIBP on personal information handling arising under Schedule 7, as well as inconsistencies within the primary Schedule 7 guidance documentation developed by DIBP, and in staff’s understanding of how the documentation is to be applied.
1.6 Without effective guidance, there is a risk that staff may be unaware of the appropriate ways in which they must meet their obligation under the APPs to collect, use, disclose, secure or destroy personal information when handling bogus document data. The assessors noted some differences between Schedule 7 policies and operational practices conducted by relevant staff, as indicating the potential to lead to non-compliance with other APPs.
1.7 The second recommendation (see 4.23) addresses the need for appropriate safeguards or standards for dealing with bogus data across DIBP offshore posts, again to ensure DIBP takes reasonable steps as required under APP 1.2.
1.8 The third recommendation (see 10.18) addresses DIBP’s need to develop a document destruction policy for seized documents, in order to minimise the risk of misuse, interference, loss and unauthorised access, modification or disclosure and ensure compliance with APP 11.
1.9 Added October 2017: In July 2017, the OAIC conducted a follow-up of the actions taken and progress made by DIBP in response to these three recommendations. In September 2017, DIBP provided a response which outlined the ways in which DIBP has implemented the OAIC’s recommendations. Further details can be found at: Follow-up of DIBP’s implementation of the recommendations
1.10 The Foreign Fighters Act amended the Migration Act 1958 (Migration Act) and Australian Citizenship Act 2007 (Citizenship Act) to introduce a range of measures designed to strengthen and improve Australia’s counter-terrorism legislative framework. In particular, Schedule 7 of the Foreign Fighters Act introduced the power to seize documents presented or provided to DIBP that are bogus. The amendments commenced on 4 November 2014.
1.11 In its advisory report of October 2014, the Parliamentary Joint Committee on Intelligence and Security recommended that the Privacy Commissioner undertake a privacy assessment of the data collected and stored by the Department of Immigration and Border Protection. It particularly asked the Privacy Commissioner to consider the collection, storage, sharing and use of that data.
1.12 On 26 June 2015, DIBP provided the OAIC with a copy of its draft Privacy Impact Assessment (PIA) regarding Schedule 7 of the Foreign Fighters Act. On 6 August 2015 the OAIC provided comments to DIBP on the PIA. At the time of this assessment, DIBP were still finalising the PIA. A final copy was provided to the OAIC on 3 November 2015.
1.13 The assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth) (the Privacy Act) which allows the OAIC to assess whether personal information held by an APP entity is being maintained and handled in accordance with the APPs.
Part 2 — Description of assessment
Objective and scope
2.1 The objective and scope of the assessment was to:
- identify DIBP’s arrangements for the handling of personal information throughout the process of seizing bogus documents
- assess whether the arrangements are consistent with DIBP’s obligations under the APPs.
2.2 The OAIC assessed the end-to-end process for bogus document seizure. Although all APPs were considered, the assessment focussed on DIBP’s compliance with APP 1 (open and transparent management of personal information), APP 3 (collection), APP 5 (notification), APP 6 (use and disclosure) and APP 11 (security of personal information) during the bogus document seizure process. However, the scope did not include:
- a detailed examination of DIBP’s IT systems
- an assessment of DIBP’s handling of personal information in relation to documents that are not bogus
- consideration of records disposal or retention requirements under the Archives Act 1983 (Cth).
Timing, location and assessment techniques
2.3 The assessors conducted the fieldwork component of the assessment on:
- 9 October 2015, at Sydney Airport, Airport Drive, New South Wales
- 12 October 2015, at DIBP’s offices in Belconnen, Australian Capital Territory.
2.4 The assessment was conducted as a review of key policy, procedural and training documents provided by DIBP. Assessors also utilised the following techniques:
- a site inspection of DIBP’s facilities relevant to the handling of bogus document data at Sydney Airport and at the National Office in Canberra
- semi-structured interviews with key staff to assess the arrangements for handling bogus document data.
Information obtained during the assessment
2.5 DIBP provided a range of documents before and during the assessment that were relevant to its arrangements for handling bogus document data. These documents are listed at Appendix A.
2.6 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix B. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.
2.7 The assessors have made three recommendations to address medium privacy risks identified during the course of the assessment. A recommendation is a suggested course of action or a control measure that, if put in place by DIBP, will (in the opinion of the OAIC) minimise the privacy risks identified around how bogus document data is handled.
2.8 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege.
2.9 This report has been published in full.
Part 3 — Overview of DIBP’s operations
Schedule 7 of the Foreign Fighters Act
3.1 DIBP’s mission is:
To protect Australia’s border and manage the movement of people and goods across it.
3.2 DIBP contributes to three principal Government outcomes:
- Strong national security—protect Australia’s sovereignty, security and safety by managing its border, including through managing the stay and departure of all non-citizens.
- A strong economy—advance Australia’s economic interests through the facilitation of the trade of goods to and from Australia and the collection of border revenue.
- A prosperous and cohesive society—support a prosperous and inclusive society, and advance Australia’s economic interests through the effective management of the visa and citizenship programmes and the provision of refugee and humanitarian assistance. 
3.3 The amendments enacted by Schedule 7 of the Foreign Fighters Act enable DIBP officers to seize bogus documents that are presented (or given, produced or provided) to officers. Bogus documents are ordinarily presented or provided to DIBP officers when individuals apply for a passport or visa, or (to front line staff) when travelling internationally at an airport.
3.4 Prior to the commencement of Schedule 7 of the Foreign Fighters Act, Australian and foreign passports could be seized under the Australian Passports Act 2005 (Passports Act) and the Foreign Passports (Law Enforcement and Security) Act 2005 (Foreign Passports Act). These powers were held by the Department of Foreign Affairs and Trade and the former Australian Customs and Border Protection Service, and delegated to DIBP officers. Schedule 7 of the Foreign Fighters Act complements the pre-existing powers by providing authority for the seizure of Australian and foreign passports under the Migration Act and, significantly, a new power to seize documents other than passports (e.g. national ID cards).
Legislative basis for seizure of bogus documents
3.5 The seizure of bogus documents is authorised under ss 487ZI and 487ZJ of the Migration Act, inserted by Schedule 7 of the Foreign Fighters Act.
3.6 Section 487ZI provides that:
(1) A person (whether citizen or non-citizen) must not give, present, produce or provide a bogus document to an officer, an authorised system, the Minister, a tribunal or any other person or body performing a function or purpose under, or in relation to, this Act (the official), or cause such a document to be so given, presented, produced or provided.
(2) A bogus document given, presented, produced or provided in contravention of subsection (1) is forfeited to the Commonwealth.
3.7 Subsection 487ZJ(2) provides that:
If an officer reasonably suspects that a document is forfeited under subsection 487ZI(2), then the officer may seize the document.
Description of Sydney Airport operations
3.8 Seizure of bogus documents is undertaken by DIBP officers responsible for the facilitation of passenger processing and the interception of travellers who may pose a risk to border integrity.
3.9 In deciding whether to seize a potentially bogus document, Forensic Document Examiners (FDEs), operating within DEUs, assist case and frontline officers to determine whether a document is bogus. DEUs also provide document assessment training to other DIBP officers. There are 10 DEUs nationally, including one situated within Sydney airport.
3.10 Documents presented to DIBP officers at Sydney Airport are primarily passports. However, the DEU receives and examines other documents such as international mail and identity documents referred from other locations.
3.11 Assessors observed a number of operational areas within Sydney airport, including the primary line/SmartGate processing, interview rooms, secure offices and document examination laboratory.
3.12 Assessors were taken on a walkthrough of the seizure process for arriving passengers. DIBP confirmed that the process for departing passengers is broadly similar. Generally, the following occurs during the process for seizing a bogus document:
- Advanced passenger processing triggers alerts for high risk passengers , so as to notify DIBP front line staff.
- Passenger presents their passport at the airport primary line or SmartGate. Passports that fail the SmartGate reader will be required to use the primary line.
- DIBP officer at the primary line scans the passport through a passport reader that retrieves information from the electronic chip and the biographical data page. The officer performs a facial recognition check against the passport photo that is retrieved by the reader.
- A failed scan requires the passenger presenting their passport to move to a second DIBP officer immediately behind the primary line. Another scan is taken using a second passport reader.
- If the scan fails again, a third DIBP officer (trained in document examination techniques) examines the passport. If it is suspected to be bogus, the passenger is asked to wait in a nearby seated area or in the secured interview area.
- If required, the passenger is then interviewed and a trained DIBP officer examines the passport. If an FDE is available, they will also examine the passport either inside the DIBP officer’s office, or within the DEU.
- Following the interview and examination of the passport, a decision is made on whether to seize it. Outside of standard business hours, an FDE may not be available, and the duty supervisor (trained in document examination techniques) will make the decision. If the passport is seized, a seizure notification letter is provided to the passenger and the passport is transferred to the DEU, or stored in the supervisor’s office until an FDE is available to collect it.
- The DEU laboratory contains equipment to support the forensic examination of documents to determine their authenticity. The laboratory also provides a secure storage facility.
- Copies of seized passports are made for a file record. The document is also entered into the electronic Forensic Case Management System and may be further examined.
- Generally, passports are retained indefinitely at the DEU, unless a request is received by a foreign authority for the document to be returned.
3.13 Documents may be also referred to the Airport DEU from other regional DIBP offices. Basic details of the document are first input into an online referral form by the DIBP officer, before the document is delivered to the airport.
Description of DIBP’s National Office
3.14 DIBP’s National Office in Canberra houses policy officers and case officers. On the policy side, the former Identity Policy Team oversaw the development of Schedule 7 of the Foreign Fighters Act, but do not have ongoing policy responsibility for the power. The Law Enforcement Strategy Team coordinated the development of a Privacy Impact Assessment on Schedule 7 of the Foreign Fighters Act. DIBP case officers are responsible for the day-to-day handling of visa and citizenship applications. Case officers receive an individual’s identification documents, including possible bogus documents, in support of these applications.
Description of the National Office DEU’s operations
3.15 The National Office DEU is located within DIBP’s main office in Belconnen, ACT. It contains equipment to support the forensic examination of documents to determine their authenticity. The laboratory also provides a secure storage facility. The National Office generally also handles documents referred from DIBP officers within the ACT.
3.16 Generally, a seizure is conducted following the process below:
- An individual submits identity documentation to support their application for a visa or citizenship, and is received by a DIBP case officer.
- If that case officer is unsure about the authenticity of a document, an online referral form is submitted by the case officer, and the document is delivered to the National Office DEU by internal mail or in person. The DEU accepts the case and an acknowledgement email is sent to the case officer that referred the document.
- A case file is opened on the Forensic Case Management System, and is allocated to an FDE. Basic details of the case are also saved to TRIM (DIBP’s electronic file system), which the referring officer can view. The FDE also adds a scanned copy of the document to the file, however access to this is restricted from the DIBP case officer.
- The FDE then performs an examination of the document, and prepares a report based on the examination. A second FDE then performs a technical review of the report, as part of the quality assurance process.
- The final report is attached to TRIM, which allows all DIBP staff to view the report.
- The original FDE will send a copy of the final report to the DIBP case officer, with advice on the legitimacy of the document, which is used by the officer to determine whether or not the case officer should seize the document.
- Documents determined to be bogus are stored at the DEU within a secure room.
Part 4 — Assessment issues: Open and transparent management of personal information
Observations on practices, procedures and systems
4.3 During interviews with National Office staff, assessors were advised that communication to Departmental staff of the enactment of the new Schedule 7 power occurred in November 2014. However assessors were also advised that shortly after this, the responsibility for the implementation and ongoing management of Schedule 7 was not assigned to a specific section within DIBP. National office staff acknowledged that this contributed to a lack of effective communication to staff implementing the Schedule 7 power.
4.4 Interviews with staff at Sydney Airport and the National Office identified an initial lack of awareness of the Schedule 7 power and/or a lack of clarity as to whether they were able to use it. Furthermore, staff interviewed by assessors could not identify a specific date when DIBP officers began using the new power.
4.5 Assessors note that DIBP had pre-existing practices, procedures and systems for the handling of passports seized under the Passports Act and Foreign Passports Act. These pre-existing practices, procedures and systems are also being used to handle bogus document data under Schedule 7 of the Foreign Fighters Act.
4.6 The Standard Operating Procedures – Seizing and Retaining Bogus Documents (SOP) and Procedures Advice Manual: Identity, Biometrics and Immigration Status - False identities and/or Bogus Documents (PAM3) are the primary resources available to DIBP officers on seizing bogus documents. Assessors reviewed these documents prior to undertaking fieldwork activities. The documents are generally easy to read, however, assessors note:
- The SOP and PAM3 lack some clarity when defining the roles of the case officer and the FDEs/DEUs and do not fully reflect the practice of officers. For example, there appears to be discrepancies as to whether bogus document should be sent to an FDE for examination before or after its seizure.
- In practice, officers need to seize documents on weekends and after standard business hours because FDEs are not available to review documents, which is not reflected in the SOP and PAM3.
- The SOP and PAM3 refer to bogus documents being ‘forfeited’, ‘seized’ and ‘retained’. These terms are not clearly defined in the SOP and PAM 3, while the term ‘retained’ is not used in the legislation.
4.7 DIBP officers posted offshore determine whether a document is bogus. Offshore posts are able to refer documents to FDEs, but do not have face-to-face access to DEUs. However, DIBP officers undergo a three-day training course on forensic document examination (conducted by FDEs) prior to being posted offshore.
4.8 The SOP and PAM3 advise that DIBP offshore posts are ’required to establish appropriate internal review processes to ensure that ‘genuine’ documents are not inappropriately seized’. DIBP advised assessors that the practices, procedures and systems for offshore posts are dependent on the characteristics of each post, and that the diversity of offshore posts requires a flexible approach for handling bogus documents.
4.9 DIBP advised that offshore posts are less likely to seize documents than their counterparts in Australia. DIBP staff also advised that although offshore staff do not have access to DEUs, they would have greater familiarity in examining locally issued documents and have more options to investigate the authenticity of documents, for example, by contacting the issuing authority directly.
Privacy issues in relation to practices, procedures and systems
4.10 The OAIC noted some privacy risks that the assessors consider arise where there is a lack of clear responsibility for the implementation and ongoing management of the Schedule 7 power.
4.11 Assessors consider that the absence of clear responsibility for the implementation and ongoing management of Schedule 7 (post- November 2014) is itself a medium privacy risk of DIBP not having taken reasonable steps to implement practices, procedures and systems to ensure it complies with the APPs, as required by APP 1.2.
4.12 Beyond the risk of non-compliance under APP 1.2, the absence of responsibility for the implementation and ongoing management of Schedule 7 has also led to associated risks of breaching other APPs.
4.13 Firstly, assessors noted a lack of awareness of the power’s existence and its implementation at Sydney Airport. Specifically, DIBP staff at both Sydney Airport and the National Office could not identify when the use of the Schedule 7 power commenced. This indicates there may not have been effective communication about the new powers to DIBP staff that may be utilising those powers. In addition there was no formal training of staff on how to implement the new Schedule 7 power.
4.14 Where staff are inadequately informed and trained on the use of the new power, DIBP risks failing to meet the requirement to take reasonable steps to implement procedures, practices and systems that will ensure DIBP complies with the APPs, as required by APP 1.2.
4.15 The practical implication of DIBP staff not being fully informed and trained is the risk that bogus data may not be handled in accordance with the APPs. Whilst assessors did not observe any inappropriate handling of bogus document data during the assessment, the risk to DIBP not complying with the APPs, as a result of inadequately informed and trained staff, remains. The effect of these risks on the handling of personal information is also discussed in Parts 9 and 10 of this Report.
4.16 Secondly, assessors also note that the SOP and PAM3, as the primary resources on the seizure of bogus documents, could provide greater clarity to DIBP officers, particularly in regards to the roles of DIBP front-line/ case officers, and FDEs.
4.17 Assessors note that the SOP and PAM3 offer a range of advice to DIBP officers on how to appropriately handle bogus documents. However, assessors also note that the SOP and PAM3 do not explicitly state that, under Schedule 7, a bogus document does not require an FDE/DEU inspection before it is seized. As a result, National Office staff advised that FDEs provide supporting advice to case officers who are ultimately responsible for making a final determination of whether to seize a document. In contrast, Sydney Airport staff understood the SOP and PAM3 required them to ask an FDE/DEU to examine a document before staff could seize it, unless an FDE/DEU was unavailable to do so (e.g. outside of DEU business hours). This may be addressed by the SOP and PAM3 identifying the circumstances when a seizure may take place prior to FDE examination, and the circumstances where it would be appropriate for this to occur.
4.18 Assessors therefore consider that, in addition to the medium risk of DIBP not having taken reasonable steps under APP 1.2, the ambiguities in this document may also contribute to risks of breaching other APPs.
4.19 Assessors acknowledge that DIBP has drafted a ‘Departmental Policy Management Framework’, which aims to address governance issues for departmental policy ownership. A copy of this document was provided to OAIC in October 2015 however this framework was yet to be finalised and implemented at the time of assessment.
4.20 Assessors acknowledge that offshore posts vary in their size and circumstance. However, DIBP has not provided sufficient information to show that appropriate safeguards or standards are in place to ensure appropriate handling of bogus document data offshore, except that offshore posts receive training from DEUs prior to departure.
4.21 Assessors consider that the disparate arrangements currently in place across offshore posts combined with a lack of documented assurance process creates a medium risk DIBP is not taking reasonable steps as required by APP 1.2. Further discussion on the risks to security of personal information handled by offshore posts is discussed in Part 10 of this Report.
4.22 Assessors recommend that DIBP introduce governance measures to ensure an appropriate level of responsibility and accountability for the oversight and implementation of appropriate practices, procedures and systems for handling personal information in accordance with Schedule 7 of the Foreign Fighters Act. This should include responsibility for:
- appropriate training to communicate and educate all affected DIBP staff on the appropriate use of the new power under Schedule 7 of the Foreign Fighters Act
- review, and maintenance, of the SOP and PAM3 to ensure clear and consistent guidance is available to affected staff on appropriate procedures for the seizure of bogus document data.
4.23 Assessors recommend that DIBP review its bogus document handling practices, procedures and systems for offshore posts to ensure that appropriate safeguards or standards are implemented across the posts to ensure appropriate personal information protections.
Part 5 — Assessment issues: Collection of solicited personal information
5.1 Under APP 3, for solicited personal information (other than sensitive information), an APP entity that is an agency, may only collect this information where it is reasonably necessary for, or directly related to, the agency’s functions or activities.
5.2 APP 3 contains different requirements for the collection of sensitive information. Unless an exception applies, an APP entity may only collect sensitive information where the conditions referred to in 5.1 are met and the individual concerned consents to the collection.
5.3 Personal information must only be collected by lawful and fair means.
Observations on collection of solicited personal information
5.4 Documents are provided to DIBP front line staff upon arrival at immigration clearance within Sydney airport. Assessors understand that limited personal information is collected when a passport is scanned by a passport reader. Further, additional personal information in a bogus document is collected when a decision is taken to seize the document.
DIBP National Office
5.5 Documents are presented to DIBP officers to support a client service function – including visa applications, immigration clearance, citizen applications, visa sponsorship and other transactions. Documents may be provided to DIBP in person, by mail and by electronic means. Personal information is collected when documents are received by DIBP.
5.6 Personal information collected may include sensitive information. However, where provided to support a client service, consent is provided by the individual.
Privacy issues in relation to collection of personal information in bogus documents
5.7 Assessors note that personal information in bogus documents is collected in accordance with the powers introduced under Schedule 7 of the Foreign Fighters Act, and by the Migration Act and Citizenship Act more generally. The assessors view was that the collection of bogus document is directly related to the agency fulfilling its client service functions and border security activities. Assessors did not identify any privacy risks that warranted the making of a privacy recommendation.
5.8 Assessors note there may be a risk of inappropriate collection of personal information if a bogus document is found during a search of a person or their belongings when that person goes through the immigration clearance process.
5.9 The power to seize a bogus document under Schedule 7 covers situations where a person gives, presents, produces or provides a bogus document to DIBP. DIBP could consider whether officers that may conduct searches are appropriately informed of the use of the bogus document seizure power, specifically on whether they are able to rely on Schedule 7, in certain circumstances, to seize documents they find through a search of a person or their belongings.
5.10 However, the practices and policies for collecting information in a document obtained through a search where a person does not give, present, produce or provide the document to a DIBP officer are outside of the scope of the OAIC assessment of Schedule 7. As such, assessors did not consider this issue in detail during the assessment process.
Part 6 — Assessment issues: Notification of the collection of personal information
6.1 APP 5 relates to privacy notices. An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters.
6.2 An APP entity must take reasonable steps before or at the time it collects personal information. If this is not practicable, reasonable steps must be taken as soon as practicable after collection.
Observations on notification of the collection of personal information
6.3 Assessors observed signs and notices posted in a number of different languages in areas of the airport before the primary line that highlight DIBP’s information handling practices and which provide the webpage address of DIBP’s privacy notice.
6.4 DIBP staff advised that passenger and arrival cards are provided in a number of different languages, highlight DIBP’s information handling practices and provide the webpage address of DIBP’s privacy notice.
6.5 DIBP staff advised that following inspection of a suspected bogus document in the DIBP office or the DEU, a template seizure notice is completed by a DIBP officer and provided to passengers at the time of seizure. The notice provides the reasons for seizure, including details of the relevant provisions of the Migration Act, action that the individual may take in response to the seizure, and contact details for the officer issuing the notice. DIBP provided assessors a copy of the template seizure notice prior to the fieldwork.
DIBP National Office
6.7 A seizure notice is provided when a document is seized (the same as above for passengers at Sydney airport).
Privacy issues in relation to the notification of the collection of personal information
6.8 Assessors considered that DIBP’s privacy notice contains the matters required for a notice under APP 5.2, in the context of Schedule 7.
6.9 Assessors took the view that DIBP’s current practices of providing the website address to their privacy notice on passenger cards, migration forms and airport signs meet the requirements of APP 5.
6.10 In addition to the privacy notice, Section 487ZJ of the Migration Act also requires a notice to be given to an individual by an officer who has seized their document, and specifies the details to be included in the notice (a seizure notice). The details required by s 487ZJ(3) are consistent with the requirements of APP 5.
6.11 Whilst the content of the seizure notice is outside of the scope of the OAIC assessment, assessors note that any document seizure that occurs without the provision of this notice, as a requirement under Section 487ZJ of the Migration Act, may risk breaching APP 3.5 which states that an APP entity must collect personal information only by lawful and fair means.
Part 7 — Assessment issues: Use or disclosure of personal information
7.1 APP 6 outlines when an APP entity may use or disclose personal information. An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.
Observations on use or disclosure of personal information
7.2 Personal information in bogus documents is used for immigration clearance purposes for incoming and departing passengers. Bogus document data may be disclosed to other government agencies, such as the Australian Federal Police and the Department of Foreign Affairs, for further investigation.
DEU – Sydney Airport and National Office
7.3 Documents are examined to make determinations on the authenticity of the document, and are used as part of an immigration clearance process. Documents are provided to DIBP to support client service functions, including visa applications, immigration clearance, citizenship applications, visa sponsorship, status resolution and other transactions.
7.4 The personal information in seized documents (including the document itself) may be disclosed to other government agencies, such as the Australian Federal Police and the Department of Foreign Affairs, for further investigation. The document may also be returned to the issuing authority overseas.
7.5 Seized documents are also used for education and training purposes. However, documents may be de-identified before a scanned copy is sent electronically as an alert to FDEs across the country.
Privacy issues in relation to use or disclosure of personal information
7.6 The uses and discloses of personal information in bogus documents by DIBP that the assessors observed or considered were in accordance with the primary purpose for which they were collected, in accordance with Schedule 7 of the Foreign Fighters Act and the Migration Act, and are consistent with APP 6.
Part 8 — Assessment issues: Cross-border disclosure of personal information
8.1 APP 8 and s 16C of the Privacy Act create a framework for the cross-border disclosure of personal information. The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs, and makes the APP entity accountable if the overseas recipient mishandles the information.
Observation on cross-border disclosure of personal information
DEU – Sydney Airport and National Office
8.2 The personal information in seized documents may be disclosed to the issuing authority overseas, or the document itself returned. The DEU noted that it would only respond to requests to return documents, but would not initiate the process.
DIBP National Office
8.3 DIBP staff advised that the non-binding international treaty – the Convention on International Civil Aviation – provides that seized documents should be returned to the issuing authority. However, it is not a legislative requirement to return all documents. An example of where a document would not be returned is where the individual is applying for a protection visa in Australia.
8.4 DIBP staff advised that where an officer has concerns with returning a document to an issuing authority overseas, they are able to view the case file to see whether the person has applied for or received a protection visa. Officers are also able to contact an internal DIBP legal team for advice on returning the document to the issuing authority.
8.5 The SOP states that ‘Requests for retained bogus documents to be returned to a foreign diplomatic mission or issuing authority should be handled by the DEU (or the offshore post), taking into consideration any relevant privacy legislation, obligations regarding refugee conventions and other international obligations – for example, the International Civil Aviation Organisation (ICAO) Chicago Convention.’ PAM3 provides similar guidance.
Privacy issues in relation to cross-border disclosure of personal information
8.6 An agency may disclose personal information to an overseas recipient where the disclosure is ‘required or authorised by or under an international agreement relating to information sharing to which Australia is a party’ (APP 8.2(e)). As noted above, the Convention on Civil Aviation provides that seized documents should be returned to the issuing authority and DIBP may return seized foreign passports accordingly. Assessors did not identify any privacy risks that warranted the making of privacy recommendation.
Part 9 — Assessment issues: Quality of personal information
9.1 Under APP 10, an APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
Observations on quality of personal information
9.2 Bogus documents are presented to DIBP for immigration clearance and provided to DIBP to support applications for visas and other purposes. Copies of these documents are included in an individual’s case file.
9.3 DIBP advised assessors that certain DIBP officers receive training from DEUs on identifying bogus documents and facial recognition training. FDEs are trained in forensic document examination techniques and DEUs have responsibility for forensic examination of documents to make final determinations on whether a document is bogus. Assessors also note that FDE reports at the National Office DEU are reviewed by a second FDE as part of the quality assurance process.
Privacy issues in relation to quality of personal information
9.4 Assessors note that the seizure and examination of documents that are suspected of being bogus enhances the quality of personal information the department holds, provided that documents that are suspected or confirmed to be bogus are clearly marked or flagged in DIBP files and systems. The quality of personal information in DIBP records can also be enhanced if a greater proportion of bogus documents are seized, as the individual presenting the bogus document is correctly identified and the document is removed from circulation.
9.5 As noted in Part 4 of this Report, the absence of ongoing policy responsibility for the seizure power results in a risk that staff are not adequately informed and trained in the appropriate handling of bogus document data.
9.6 Recommendation one addresses this risk.
9.7 Assessors also note a risk to the quality of personal information collected that arises from an inconsistent approach to offshore seizures. As noted in Part 4 of this Report, whereas officers in Australia have greater access to DEUs to provide further support in determining whether a document is bogus, offshore posts rarely refer documents to a DEU. Offshore posts also do not have standard procedures for document seizure.
9.8 This may affect the quality of personal information collected by increasing the risk that genuine documents may be seized or bogus documents are handled in different ways across offshore posts. This risk is somewhat mitigated by offshore posts receiving training by DEUs and access to local knowledge relating to locally issued documents.
9.9 Recommendation two addresses this risk.
Part 10 — Assessment issues: Security of personal information
10.1 Under APP 11, an APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
Observations on security of personal information
10.2 Assessors observed that, upon presenting a passport at the airport primary line, passengers remain with the DIBP officer sighting or examining their document. Further, that passenger follows the document to the area behind the primary line if it is handed from the primary line officer to another officer for a second inspection.
10.3 If further concerns remain after a document has been scanned behind the primary line, the passport is taken to an open plan office next to DIBP interview rooms. Access to the office and interview rooms is restricted using security passes, which are only available to certain DIBP officers.
10.4 Seized documents are transferred from the office to the DEU laboratory in person. Before delivery, while in the office, documents are placed in a safe or (at times) will be in an envelope on top of a desk or cabinet.
10.5 Access to the DEU is restricted using security passes and CCTV surveillance cameras in operation in the hallway leading to the DEU facilities. Documents are either stored in a room only accessible from a laboratory which is also secured using access passes, or in safes located near the laboratory.
10.6 Access to computers requires users to login using a password. DIBP advised that full access to the Forensic Case Management System is limited to DEU staff. However, basic information about cases is available more generally to DIBP staff with access to the Forensic Case Management System.
10.7 DIBP staff advised that a training day is conducted monthly for airport frontline staff. However, no training has been conducted in relation to Schedule 7.
National Office DEU
10.8 Access to the DEU laboratory is restricted using security passes. Documents are either stored in a room only accessible from the laboratory or in the storage cabinets within the laboratory itself. Assessors observed that a register was kept of all entrants to the laboratory (who do not have their own security pass).
10.9 Access to computers requires users to login using a password.
DIBP National Office
10.10 DIBP were unable to advise whether access to DIBP’s file system (TRIM) was restricted. Unless departmental work areas implement specific restrictions on files, assessors understand that they will be available across the entire department. However, DIBP follows a ‘need to know’ principle in relation to accessing information and there is a ‘read-audit’ function on all TRIM records that allows access to be traced.
10.11 DEUs advised that there was no policy in place for destruction of seized documents and that seized documents are retained indefinitely. DEU staff advised that these documents are used for training and comparison purposes.
Privacy issues in relation to security of personal information
10.12 The absence of overarching responsibility for implementing the new powers afforded by Schedule 7, as discussed in Part 4 of this report, has contributed to a lack of training available to affected staff at Sydney Airport on the appropriate use of the new power, and subsequent handling of the resulting personal information.
10.13 Assessors consider there is a medium risk of breaching APP 11 resulting from the lack of training available to affected staff. This raises the risk of misuse of bogus document data, as staff may not be aware of any changes to information handling practices when seizing documents, or may not be aware that the SOP and PAM3 provide guidance on use of the new power.
10.14 Recommendation one addresses this risk.
10.15 Assessors note that there is no document destruction policy and that both the Sydney Airport and National Office DEUs held documents indefinitely. Assessors acknowledge that seized documents are useful as education and training material. However, consideration should be given to whether all documents seized are required to be permanently held. Assessors consider there is a medium risk of breaching APP 11 resulting from the absence of a destruction policy in relation to bogus documents. Assessors note that a destruction policy would need to take into account requirements under the Archives Act 1983 and any other legal requirements.
10.16 Assessors note that DIBP’s file system (TRIM) allows for access to be restricted. However, interviewees were not aware of any restrictions on case files where information in relation to bogus documents is attached. As a result it is possible that a case file and the personal information contained within it may be accessible by any DIBP officer (subject to DIBP’s ‘need to know’ principle that applies to accessing information).
10.17 Assessors note that a detailed examination of DIBP’s IT systems was not undertaken within the scope of the assessment. However, DIBP may wish to consider whether access restrictions are warranted for bogus document data to ensure that personal information is appropriately secured. The OAIC’s Guide to securing personal information may assist in assessing whether reasonable steps have been taken to protect personal information from unauthorised access.
10.18 Assessors recommend that DIBP establish a document destruction policy for seized documents.
Part 11 — Summary of recommendations
Recommendation 1 — Ensure policy governance ownership is identifiable
11.1 Assessors recommend that DIBP introduce governance measures to ensure an appropriate level of responsibility and accountability for the oversight and implementation of appropriate practices, procedures and systems for handling personal information in accordance with Schedule 7 of the Foreign Fighters Act. This should include responsibility for:
- appropriate training to communicate and educate all affected DIBP staff on the appropriate use of the new power under Schedule 7 of the Foreign Fighters Act
- review, and maintenance, of the SOP and PAM3 to ensure clear and consistent guidance is available to affected staff on appropriate procedures for the seizure of bogus document data.
11.2 DIBP accepts this recommendation.
Recommendation 2 — Review bogus document handling practices, procedures and systems for offshore posts
11.3 Assessors recommend that DIBP review its bogus document handling practices, procedures and systems for offshore posts to ensure that appropriate safeguards or standards are implemented across the posts to ensure appropriate personal information protections.
11.4 DIBP accepts this recommendation.
Recommendation 3 — Establish a document destruction policy for seized documents
11.5 Assessors recommend that DIBP establish a document destruction policy for seized documents.
11.6 DIBP accepts this recommendation.
11.7 As noted at 1.9, the OAIC has conducted a follow-up of the actions taken and progress made by DIBP in response to these three recommendations. Further details can be found at: Follow-up of DIBP’s implementation of the recommendations